Actions
Bug #14893
closed
Large number of IPsec tunnels causes long filter reload times
Start date:
Due date:
% Done:
100%
Estimated time:
Plus Target Version:
24.03
Release Notes:
Default
Affected Version:
Affected Architecture:
All
Description
On a 23.05.1 system with many IPsec tunnels, reloading the filter can take over 5 minutes. This results in very slow GUI performance when editing tunnels and occasional nginx timeouts. I've replicated the issue on a system with 87 tunnels each with one phase 2 entry. Among the phase 2's, there are 42 using VTI and 45 using tunnel mode. Each VTI has an associated interface and gateway.
The system logs show occurrences of:
sonewconn: pcb 0xfffff80018f57400 (local:/var/run/charon.vici): Listen queue overflow: 5 already in queue awaiting acceptance (35 occurrences), euid 0, rgid 0, jail 0
Related issues
Updated by Jim Pingle about 1 year ago
This may be a duplicate of other existing issues such as #12335
Updated by Jim Pingle about 1 year ago
- Related to Bug #12335: IPsec DNS inefficiency added
Updated by Max Leighton about 1 year ago
In my case, all of the remote gateways are IP addresses. There shouldn't be anything in IPsec that needs to resolve a hostname in my config.
Updated by Marcos M about 1 year ago
- Status changed from New to In Progress
- Assignee set to Marcos M
- Plus Target Version set to 24.03
- Affected Architecture All added
Updated by Marcos M about 1 year ago
- Status changed from In Progress to Pull Request Review
- Target version set to 2.8.0
Updated by Marcos M about 1 year ago
- Status changed from Pull Request Review to Feedback
- % Done changed from 0 to 100
Applied in changeset 4bbbcc368bf1da815025fa51268d5de96fa73220.
Actions